cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from State Bank of India (Foreign Travel Card).
State Bank of India is the largest government operated bank in India.
They offer "travel" prepaid cards for foreign currencies, this is for
their portal for the prepaid card users to manage their account.
Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase c...
https://dumbpasswordrules.com/sites/state-bank-of-india-foreign-travel-card/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Does anyone have #fediverse or #mastodon stats (preferably from a few different servers) about numbers of bad-faith actors being identified, banned, etc.? I've become pretty interested in this from a methodological point of view. I'm thinking of running some #moderation simulations to explore possibilities in a "calculate some stuff and make some graphs" way. Actually, if someone already did that, I'd be keen to read it.
I'm interested in how to detect "bad eggs," realizing as I think about it that I don't even know all the questions to ask, and this entire line of investigation has some thorny issues I'll need to deal with. I think infosec.exchange might, in some ways, be the perfect server to be on for this, because I am pretty sure that #cybersecurity has huge overlap with this whole domain.
This dumb password rule is from IRS.
Password rules:
- Between 8 and 32 characters long
- Must contain at least one numeric and one special character (!@#$%&*)
- At least one uppercase and at least one lowercase letter
https://dumbpasswordrules.com/sites/irs/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
💡 Not all “VPN MFA” means the same thing.
Setup-level 2FA: checked once during device enrollment.
Connection-level MFA: required every time a session starts.
If someone steals the VPN key (the static config with the private key), setup-level 2FA won’t block the connection, because it’s not involved in the handshake.
Connection-level MFA is.
In Defguard, MFA is built into the WireGuard® session flow.
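The distinction in the post above, modelled as an added example (not Defguard's or WireGuard's code): the VPN handshake is a toy HMAC challenge-response over a shared device key, which is an assumed stand-in for the real public-key Noise handshake, and the OTP is RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits). Enrollment checks the OTP once in both modes; only connection-level mode carries it into every session start, which is why a copied config passes in one mode and fails in the other.

```python
"""Setup-level versus connection-level VPN MFA, modelled end to end.

Added example; not Defguard's or WireGuard's code. The handshake is a toy
HMAC challenge-response over a shared static device key (assumption: a
stand-in for the real public-key Noise handshake). The OTP is RFC 6238 TOTP.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using the RFC 4226 HOTP dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Client:
    """A device holding the static VPN config. totp_secret is None when the
    config was copied off the machine without the user's authenticator."""

    def __init__(self, device_key: bytes, totp_secret: bytes | None):
        self.device_key = device_key
        self.totp_secret = totp_secret

    def key_id(self) -> str:
        return hashlib.sha256(self.device_key).hexdigest()[:16]

    def respond(self, challenge: bytes, unix_time: int) -> tuple[bytes, str | None]:
        proof = hmac.new(self.device_key, challenge, hashlib.sha256).digest()
        otp = totp(self.totp_secret, unix_time) if self.totp_secret else None
        return proof, otp


class VpnServer:
    def __init__(self, mfa_mode: str, totp_secret: bytes):
        assert mfa_mode in ("setup", "connection")
        self.mfa_mode = mfa_mode
        self.totp_secret = totp_secret      # the user's enrolled authenticator
        self.peers: dict[str, bytes] = {}   # key_id -> static device key

    def enroll(self, otp: str, unix_time: int) -> bytes | None:
        """Both modes check the OTP once here, then issue the static key.
        Setup-level 2FA is exactly this check and nothing more."""
        if not hmac.compare_digest(otp, totp(self.totp_secret, unix_time)):
            return None
        device_key = os.urandom(32)
        self.peers[hashlib.sha256(device_key).hexdigest()[:16]] = device_key
        return device_key

    def connect(self, client: Client, unix_time: int) -> bool:
        """Session start. Proof of the static key is always required; the OTP
        is part of the exchange only in connection-level mode."""
        device_key = self.peers.get(client.key_id())
        if device_key is None:
            return False
        challenge = os.urandom(16)
        proof, otp = client.respond(challenge, unix_time)
        expected = hmac.new(device_key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):
            return False
        if self.mfa_mode == "setup":
            return True                     # the key alone opens the tunnel
        return otp is not None and hmac.compare_digest(otp, totp(self.totp_secret, unix_time))


def run_scenario(mfa_mode: str, now: int = 1_700_000_000) -> dict[str, bool]:
    """Enroll one device, then let its owner and a thief holding a copied
    config (key but no authenticator) each try to start a session."""
    authenticator = os.urandom(20)
    server = VpnServer(mfa_mode, authenticator)
    device_key = server.enroll(totp(authenticator, now), now)
    owner = Client(device_key, authenticator)
    thief = Client(device_key, None)        # stolen static config
    return {"owner": server.connect(owner, now), "thief": server.connect(thief, now)}


if __name__ == "__main__":
    for mode in ("setup", "connection"):
        print(mode, run_scenario(mode))
```

In setup mode the thief's session is accepted because nothing in connect() ever asks for the second factor; in connection mode the same stolen key is rejected at every session start.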
This dumb password rule is from Credit Union Australia (CUA) Health.
Password must be between 7 and 10 characters, contain both an uppercase and a lowercase letter and have at least one number.
https://dumbpasswordrules.com/sites/credit-union-australia-cua-health/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
As LLMs take over the world, a reminder that you can still buy hand crafted, small batch collections of words.
Stand out from the crowd this holiday season with a Mike Sheward InfoSec book - written the old fashioned way - by hand, and fueled by an undying rage that can only exist in someone who uses JIRA.
Available wherever you buy books and also Walmart for some reason.
Learn more at https://infosecdiaries.com.
#infosec #books #cybersecurity #dfir #pentesting #blueteam #redteam
Chrome now wants to store and autofill your driver’s license and other ID info.
From a cybersecurity perspective, that is a hard no from me. Info-stealer malware already targets browser autofill, and you cannot rotate a driver’s license number like a password. Putting high value IDs in the most targeted consumer app on the planet is a bad trade for a little convenience.
I wrote up why this feature is such a risky idea and what I recommend instead:
🔗 https://www.kylereddoch.me/blog/chromes-new-drivers-license-autofill-is-a-terrible-idea/
This dumb password rule is from PizzaHut.
Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.
https://dumbpasswordrules.com/sites/pizzahut/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CenturyLink Residential.
Your password is too long. But how long can it be? Oh, we won't tell you.
https://dumbpasswordrules.com/sites/centurylink-residential/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Rogers.
I can only use 4 special characters?
Password guidelines
- Your password should be between 8-20 characters and have at least one number and one letter.
- The following special characters are allowed: ! @ # $
https://dumbpasswordrules.com/sites/rogers/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Suncorp.
To "improve security" and "be password savvy", passwords must:
- be six to eight characters long
- Contain both numbers and letters
- Include upper and lowercase letters
https://dumbpasswordrules.com/sites/suncorp/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Craigslist.
No minimum character limit, meaning you can go as low as 5 characters for a password
https://dumbpasswordrules.com/sites/craigslist/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Admiral.
Restrict the inclusion of a % character.
https://dumbpasswordrules.com/sites/admiral/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CENLAR.
Your password can meet all the requirements in the list and still be invalid due to
an unspecified rule: any "special characters" that are not listed in the help text
are not allowed. Worse, it provides no useful feedback other than the "New Password"
field is red.
https://dumbpasswordrules.com/sites/cenlar/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Capital One.
- May only use the following characters: Aa-Zz 0-9 - _ . / \ @ $ * & ! #
- No spaces
https://dumbpasswordrules.com/sites/capital-one/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Under the hood quiet progress to keep your machine secure:
"Fedora Linux 43 will be the first release with RPM 6.0. Like I said, this should go unnoticed to end-users, but it is a significant change. RPM 6.0 provides some interesting security enhancements, like multiple key signing of packages. This should help future-proof package signing as we transition to post-quantum-crypto OpenPGP keys in future releases."
> "This raises an important question: if AI models can be misused for cyberattacks at this scale, why continue to develop and release them? The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense."
Guys, we need to use #AI to defend ourselves against AI!
What could go wrong?
🤡 Today Cisco offered us an exclusive interview with their Germany head for early January. Digitalization and Germany and blah blah. My colleague from ZEIT ONLINE: Sure, happy to, we still have a few questions anyway. Points to my #Webex investigation, where Cisco broke off communication.
Appointment set, all good.
An hour later the agency calls again: Cisco doesn't want to talk to us after all.
Hahahaha, what exactly is Cisco's idea of journalism?
So Cisco is now looking for a German outlet for an exclusive interview in early January that won't ask critical questions. I'm really curious who's going to do it.
This dumb password rule is from Synchrony Financial.
Financial services - where we don't allow you to create the strongest
password possible.
https://dumbpasswordrules.com/sites/synchrony-financial/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Is Ofcom coming for VPNs?
Monitoring their use through the narrow lens of whether the UK Online Safety Act is working is shortsighted.
"It’s important to note VPNs can help protect children's security online too, they aren’t just used to avoid content blocks."
🗣️ ORG's @JamesBaker
#vpn #onlinesafetyact #onlinesafety #osa #ofcom #privacy #security #cybersecurity #ukpolitics #ukpol
🚨 Beware of a new phishing scam sending fake security alerts from your own email domain! Attackers steal credentials via realistic login pages prefilled with your email. Stay alert, use MFA, and verify alerts independently. Protect your inbox now! 🔐⚠️ #Cybersecurity #PhishingAlert #EmailSafety https://gbhackers.com/email-logins/
#newz
> Multi-factor authentication (MFA) remains essential even if credentials are compromised; an attacker without access to the secondary authentication method cannot penetrate the account.
MFA didn't do a damn thing to save my mom from being phished a few weeks ago. Unsuspecting victims of phishing schemes like these will enter their MFA code along with their password, et voila, they are owned.
A solution to this problem is sorely needed, and MFA is not it.
Most people don't have a tech-savvy concierge standing next to them every time they use a computer or phone.
People need to be able to look after their own security.
And even if that could be done, it wouldn't work. I'm computer- and security-literate and even I could be fooled by some of these phishing schemes.
The real solution is credentials that are impossible to phish, i.e. asymmetric keys.
This incident was especially egregious as it was my mom's bank account that was phished.
Banks are the one kind of business that already gives all of its customers a hardware authentication token (a debit card).
I see no good reason why these cards shouldn't also have a USB connector on them, and a corresponding FOSS PKCS#11 driver for Windows/macOS/Linux/etc, to use for authenticating to the bank's website. Browsers already support this right now!
This dumb password rule is from Bank Leumi (Israel).
- Password consists of 6 to 12 characters
- Password contains only English letters and numbers without spaces.
https://dumbpasswordrules.com/sites/bank-leumi-israel/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Yeah, my mom almost got duped by one of these full-screen phishing sites.
It even somehow disabled the Esc key! I told her to try a bunch of keyboard shortcuts to escape from it. Command+W (it's a Mac) finally worked.
Memorizing that shortcut should NOT have been necessary!!!
#Browser full-screen APIs should still show a bit of browser chrome at the top of the screen so you know you're looking at, and have a way to escape from, a full-screen web page.
This dumb password rule is from Sampath Bank.
So many rules!
https://dumbpasswordrules.com/sites/sampath-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
"Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.
According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web.
Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed Water Saci. The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload.
The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes contact with a remote server to fetch follow-on commands to gather system information and serve phishing pages to steal credentials."
https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html
This dumb password rule is from Microsoft (e company store).
Max of 16 characters, oh and please don't use any characters we don't know how to escape properly
also if it starts with ? you may break our wonderful website. Watch out with your password generator
duplicated characters are far too insecure to allow here.
https://dumbpasswordrules.com/sites/microsoft-e-company-store/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Mobi Bike Share.
Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: *1234*.
https://dumbpasswordrules.com/sites/mobi-bike-share/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
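The policies quoted in several of the dumb-password-rule posts on this page (Mobi Bike Share, Bank Leumi, Rogers, Suncorp), quantified in an added example that is not code from any of the posts or from dumbpasswordrules.com. Each Policy follows the rules as the post states them; where a post is silent (Suncorp does not say whether special characters are allowed) the choice is an assumption marked beside it. The NIST entry is the SP 800-63B baseline (at least 8 characters, at least 64 allowed, all printable ASCII including space) for comparison. violations() also shows the feedback a form should return instead of silently turning the field red.

```python
"""Key space and rule feedback for the password policies quoted above.

Added example, not from the posts or from dumbpasswordrules.com. Policies
follow the posted rules; anything a post leaves out is an assumption noted
in the comment beside that policy.
"""
import math
import string

LOWER, UPPER, DIGIT, PUNCT = (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, string.punctuation)
PRINTABLE = LOWER + UPPER + DIGIT + PUNCT + " "
CLASS_SETS = {
    "lower": set(LOWER), "upper": set(UPPER), "digit": set(DIGIT),
    "letter": set(LOWER + UPPER), "special": set(PUNCT),
}


class Policy:
    def __init__(self, name, min_len, max_len, allowed, required=()):
        self.name, self.min_len, self.max_len = name, min_len, max_len
        self.allowed, self.required = set(allowed), tuple(required)

    def violations(self, candidate: str) -> list[str]:
        """Every rule the candidate breaks, named, so the user can fix it."""
        found = []
        if len(candidate) < self.min_len:
            found.append("too_short")
        if len(candidate) > self.max_len:
            found.append("too_long")
        for ch in sorted(set(candidate) - self.allowed):
            found.append(f"disallowed_char:{ch}")
        for cls in self.required:
            if not CLASS_SETS[cls] & set(candidate):
                found.append(f"missing_class:{cls}")
        return found

    def keyspace(self) -> int:
        """Strings the length and alphabet rules admit. Composition rules
        only shrink this, so it is an upper bound on what the site allows."""
        n = len(self.allowed)
        return sum(n ** length for length in range(self.min_len, self.max_len + 1))

    def max_entropy_bits(self) -> float:
        return math.log2(self.keyspace())

    def exhaustive_search_seconds(self, guesses_per_second: float) -> float:
        """Worst case for an offline attacker who holds the hash."""
        return self.keyspace() / guesses_per_second


# Policies as the posts state them.
MOBI = Policy("Mobi Bike Share PIN", 4, 4, DIGIT)                 # four numeric digits
LEUMI = Policy("Bank Leumi", 6, 12, LOWER + UPPER + DIGIT)        # letters and digits, no spaces
ROGERS = Policy("Rogers", 8, 20, LOWER + UPPER + DIGIT + "!@#$",  # only ! @ # $ allowed
                required=("letter", "digit"))
SUNCORP = Policy("Suncorp", 6, 8, PRINTABLE,                      # assumption: specials allowed
                 required=("lower", "upper", "digit"))
NIST = Policy("NIST SP 800-63B baseline", 8, 64, PRINTABLE)


def report(guesses_per_second: float = 1e10) -> list[tuple[str, float, float]]:
    """(name, max entropy bits, worst-case search seconds), weakest first."""
    rows = [(p.name, round(p.max_entropy_bits(), 1),
             p.exhaustive_search_seconds(guesses_per_second))
            for p in (MOBI, SUNCORP, LEUMI, ROGERS, NIST)]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for name, bits, seconds in report():
        print(f"{name:26s} {bits:6.1f} bits  {seconds:.3g} s at 1e10 guesses/s")
    print(ROGERS.violations("pass%word"))
```

The guess rate is an assumed figure for an offline attack against a leaked hash; the ordering of the policies does not depend on it. Mobi's four-digit PIN admits exactly 10,000 values, and Bank Leumi's 12-character alphanumeric cap sits far below the NIST baseline even before composition rules are applied.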
This dumb password rule is from myRTA.
The Roads and Traffic Authority's 'Online Services' website for New South Wales, Australia.
Password rules:
- Must be between 6 and *10* characters long
- Must be a combination of letters and numbers
- Cannot be the same as any of the previous two passwords, including the current password
- Is ca...
https://dumbpasswordrules.com/sites/myrta/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The Louvre’s surveillance password was literally… “Louvre.” 😳
Here are 3 password manager tips from Tuta you need to hear 👇
Tip 1: Use strong, unique passwords
Tip 2: Never reuse passwords
Tip 3: Enable 2FA (two-factor authentication)
This dumb password rule is from USAA Bank.
Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.
https://dumbpasswordrules.com/sites/usaa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trenord.
- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.
https://dumbpasswordrules.com/sites/trenord/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Easyjet.
No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.
https://dumbpasswordrules.com/sites/easyjet/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
Malicious NuGet packages drop disruptive 'time bombs' https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/
This dumb password rule is from NVV (Nordhessische VerkehrsVerbund).
Password length must be 4 to 10 characters with only a few special characters allowed.
https://dumbpasswordrules.com/sites/nvv-nordhessische-verkehrsverbund/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Very.co.uk.
Password field allows *only* the listed Special Characters ($ . , ! % ^ *).
You're also forced to use both upper, and lower letters, as well as a number.
https://dumbpasswordrules.com/sites/very-co-uk/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Whitcoulls.
Your password must:
- be between 7 and 15 characters
- contain a capital letter
- have no spaces (shown only when you go to change it)
https://dumbpasswordrules.com/sites/whitcoulls/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from MKB NetBankár.
It only accepts lowercase letters, uppercase letters and numbers (any
other character counts as forbidden character).
Also, if your password contains any invalid character, it will get
marked as "Identical to the former 10 passwords".
To make it more fun, during the registration, it allows to se...
https://dumbpasswordrules.com/sites/mkb-netbankar/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Others have already shared this, but I want to share it separately. #AI is not creating undetectable, advanced #malware. It’s just not happening.
Thanks to @dangoodin for a great article.
This dumb password rule is from MarketWatch.
- Cannot be longer than 15 characters.
- Must contain one number.
- Cannot contain spaces, %, & or +.
https://dumbpasswordrules.com/sites/marketwatch/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I finally did it.
I unfollowed #cybersecurity. It had become terminally LinkedInified here. Absolutely nothing of substance was being shared.